ASA 5506X Traffic flow between interfaces

OldSchoolTechie
Level 1

Dear all,


I am on 9.6 and trying to get traffic flowing between two interfaces. These have the same security level and are permitted to talk using same-sec intra|inter. There is no routing in place, meaning everything is directly connected. To cut it short, here's the layout: inside=192.168.1.254; LTE=192.168.5.1; outside has public WAN IP. I want to establish traffic between inside and LTE as a prerequisite for PBR.

Symptom:

I seem to be unable to get past the interface, that is - I CAN ping from "LTE" to hosts in that segment (and of course within "inside" as well). ICMP is permitted, yes - but I cannot get a ping across these.


There is no ACL on any interface (as per the docs, you don't need it if you have the same sec-level in place).
There is NAT exemption in place for 192.168.5.0 against the inside and outside and itself, as well as for a few VPN pools and subnets (all fine). The packet tracer reveals the following, and I am at my wits' end... perhaps s/o can have a look into it.

packet-tracer input inside tcp 192.168.1.254 http 192.168.5.10 http......

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.5.10 using egress ifc  LTE

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,LTE) source static inside_net inside_net destination static LTE LTE no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface LTE
Untranslate 192.168.5.10/80 to 192.168.5.10/80

Phase: 3
Type: SUBOPTIMAL-LOOKUP
Subtype: suboptimal next-hop
Result: ALLOW
Config:
Additional Information:
ifc selected is not same as preferred ifc
Doing route lookup again on ifc  inside

Phase: 4
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.254 using egress ifc  inside

Result:
output-interface: LTE
output-status: up
output-line-status: up
Action: drop


TIA+Brgds,

Dan

15 Replies

First off, you do not need to have the NAT exempt; in fact I would remove the inside to LTE NAT exempt altogether.

Could you post a full running config (remember to remove any public IPs, usernames and passwords)?

You are correct in stating that you should not need an ACL on the interface if you have same-security-traffic permit inter-interface (between two interfaces with the same security level) and same-security-traffic permit intra-interface (hairpinning traffic on a single interface regardless of security level).

Do the two subnets connect to the same switch?

Does the switch have VLANs configured with IPs in the two VLANs? If so, are these VLANs in different VRFs?

--

Please remember to select a correct answer and rate helpful posts

Marius,

First off, thanks for taking the time to look into that, really appreciate it.

Here's a sanitized running config. I posted the main networking part, which I suspect to contain the culprit. The crypto stuff and the likes of ssh etc. were omitted for reasons of clarity. I initially spoke of PBR, which is configured here but not "switched on" on an interface because I lack the requirements for it; PBR would direct packets to a dead end.

Background Info, also answering your questions:

192.168.[3,4,7].0 are remote VPN Networks.

192.168.1.0/24 is the inside. It hangs off a small GigE switch.

192.168.5.0 is the LTE Segment.

The LTE unit is wired using CAT6 cable straight 1:1 to giE3/1. No switching here.

ASA Version 9.5(2)
!
hostname ******
domain-name *******
enable password ******************
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool vpn_clientpool 172.16.4.1-172.16.4.10 mask 255.255.255.0
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 pppoe client vpdn group ******
 ip address pppoe setroute
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet1/3
 nameif LTE
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
[snip]
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.2
 domain-name armato.de
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network *****
 host 192.168.1.2
object network inside_net
 subnet 192.168.1.0 255.255.255.0
object network vpn_clientpool
 subnet 172.16.4.0 255.255.255.0
object network jt_net
 subnet 192.168.2.0 255.255.255.0
object network cg_net
 subnet 192.168.4.0 255.255.255.0
object network cg_net_li
 subnet 192.168.7.0 255.255.255.0
object network LTE
 subnet 192.168.5.0 255.255.255.0
object network *******************
 host 192.168.1.1

access-list VPN_Inside remark *****
access-list VPN_Inside standard permit 192.168.1.0 255.255.255.0
access-list L2l extended permit ip object inside_net object jt_net
access-list L2l extended permit ip object inside_net object cg_net
access-list L2l extended permit ip object inside_net object cg_net_li
access-list LocalLanAccess standard permit 192.168.4.0 255.255.255.0
access-list LocalLanAccess standard permit 172.16.4.0 255.255.255.0
access-list LocalLanAccess standard permit 192.168.1.0 255.255.255.0
access-list LocalLanAccess standard permit 192.168.7.0 255.255.255.0
access-list LocalLanAccess standard permit 192.168.5.0 255.255.255.0
access-list LTE_WAN extended permit tcp host 192.168.1.1 any eq www
access-list LTE_WAN extended permit tcp host 192.168.1.1 any eq https
pager lines 24

nat (inside,outside) source static inside_net inside_net destination static vpn_clientpool vpn_clientpool no-proxy-arp route-lookup
nat (inside,outside) source static inside_net inside_net destination static jt_net jt_net no-proxy-arp route-lookup
nat (inside,outside) source static inside_net inside_net destination static cg_net cg_net no-proxy-arp route-lookup
nat (inside,outside) source static inside_net inside_net destination static cg_net_li cg_net_li no-proxy-arp route-lookup
nat (inside,LTE) source static inside_net inside_net destination static LTE LTE no-proxy-arp route-lookup
!
object network obj_any
 nat (any,outside) dynamic interface
object network inside_net
 nat (inside,outside) dynamic interface dns
!
route-map LTE permit 10
 match ip address LTE_WAN
 set ip next-hop verify-availability 192.168.5.10 1 track 1
 set interface LTE

You have some access lists configured. Are you sure that the LTE_WAN ACL is not assigned to the LTE interface?

--

Please remember to select a correct answer and rate helpful posts

As you can see, there is no access-group on the interface, which means no ACL is in effect. The LTE_WAN ACL you see is intended for PBR control.

Your packet-tracer is incorrect. You are using the source IP of the inside interface, which is why it is failing. Try it using 192.168.1.10, for example.

How are you testing traffic between the two subnets? Ping?

--

Please remember to select a correct answer and rate helpful posts

Marius, you cannot use the PT on interfaces other than those you have on the hardware; to my knowledge it is unable to intercept stuff coming through the ASA.

Anyway, testing back and forth using ping between LTE and inside: to no avail.

And yes, ICMP is permitted.

First off, packet-tracer only simulates a packet passing through the ASA, and because traffic cannot be simulated using an ASA-assigned IP, you need to use a different IP than the one configured on the ASA interface.

If these are Windows machines, have you turned off the Windows firewall while testing?

Please post the packet-tracer output using IPs other than those configured on the ASA interfaces.

If this still fails and the Windows firewall is turned off, please post a full running config of your ASA.

--

Please remember to select a correct answer and rate helpful posts

Sorry for the delay over the weekend.

Please find below what the PT yields. Interestingly enough, upon pinging manually, I can observe (using deb ic tr) only the request from .1.2 to 5.10, but nothing comes back. Pinging from 5.1 to 5.10 yields request and reply. And yes, the Windows F/W is of course off (deactivated) and no other security software is out there.

packet-tracer input inside icmp 192.168.1.2 8 0 192.168.5.10 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.5.10 using egress ifc  LTE

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,LTE) source static inside_net inside_net destination static LTE LTE no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface LTE
Untranslate 192.168.5.10/0 to 192.168.5.10/0

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.2 using egress ifc  inside

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,LTE) source static inside_net inside_net destination static LTE LTE no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.1.2/0 to 192.168.1.2/0
 Forward Flow based lookup yields rule:
 in  id=0x7fe99f7d2a60, priority=6, domain=nat, deny=false
        hits=14, user_data=0x7fe9a0f68610, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=192.168.5.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=LTE

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fe9a0e40510, priority=2, domain=permit, deny=false
        hits=26, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fe99ec89c40, priority=0, domain=nat-per-session, deny=true
        hits=624702, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fe99f77c9c0, priority=0, domain=inspect-ip-options, deny=true
        hits=258460, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fe99f77c1d0, priority=66, domain=inspect-icmp-error, deny=false
        hits=3717, user_data=0x7fe99f77b740, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 9
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fe9a0cf3030, priority=13, domain=debug-icmp-trace, deny=false
        hits=3715, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,LTE) source static inside_net inside_net destination static LTE LTE no-proxy-arp route-lookup
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fe9a1123a50, priority=6, domain=nat-reverse, deny=false
        hits=15, user_data=0x7fe9a0f6c0a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=192.168.5.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=LTE

Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fe9a0ce3330, priority=0, domain=user-statistics, deny=false
        hits=111, user_data=0x7fe9a06910d0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=LTE

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 308937, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_dbg_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
output-interface: LTE
output-status: up
output-line-status: up
Action: allow

Please post a full running config (please remember to remove any public IPs, usernames and passwords).

--

Please remember to select a correct answer and rate helpful posts

Here goes; crypto certs omitted, remainder is anonymized.

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool vpn_clientpool 172.16.4.1-172.16.4.10 mask 255.255.255.0
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 pppoe client vpdn group [SNIP]
 ip address pppoe setroute
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet1/3
 nameif LTE
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.2
 domain-name [SNIP].de
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network W2K8SBS
 host 192.168.1.2
object network inside_net
 subnet 192.168.1.0 255.255.255.0
object network vpn_clientpool
 subnet 172.16.4.0 255.255.255.0
object network jt_net
 subnet 192.168.2.0 255.255.255.0
object network cg_net
 subnet 192.168.4.0 255.255.255.0
object network cg_net_li
 subnet 192.168.7.0 255.255.255.0
object network LTE
 subnet 192.168.5.0 255.255.255.0
object network W2K8TSSERV
 host 192.168.1.1
object-group service [SNIP]_Outside tcp
 port-object eq https
 port-object eq www
access-list VPN_Inside remark [SNIP] Userland
access-list VPN_Inside standard permit 192.168.1.0 255.255.255.0
access-list L2l extended permit ip object inside_net object jt_net
access-list L2l extended permit ip object inside_net object cg_net
access-list L2l extended permit ip object inside_net object cg_net_li
access-list LocalLanAccess standard permit 192.168.4.0 255.255.255.0
access-list LocalLanAccess standard permit 172.16.4.0 255.255.255.0
access-list LocalLanAccess standard permit 192.168.1.0 255.255.255.0
access-list LocalLanAccess standard permit 192.168.7.0 255.255.255.0
access-list LocalLanAccess standard permit 192.168.5.0 255.255.255.0
access-list LTE_WAN extended permit tcp host 192.168.1.1 any eq www
access-list LTE_WAN extended permit tcp host 192.168.1.1 any eq https
pager lines 24
logging enable
logging timestamp
logging console debugging
logging trap errors
logging asdm notifications
mtu outside 1492
mtu inside 1500
mtu LTE 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name [SNIP]_Outside attack action alarm drop
ip audit interface outside [SNIP]_Outside
ip audit attack action alarm drop
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any LTE
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static inside_net inside_net destination static vpn_clientpool vpn_clientpool no-proxy-arp route-lookup
nat (inside,outside) source static inside_net inside_net destination static jt_net jt_net no-proxy-arp route-lookup
nat (inside,outside) source static inside_net inside_net destination static cg_net cg_net no-proxy-arp route-lookup
nat (inside,outside) source static inside_net inside_net destination static cg_net_li cg_net_li no-proxy-arp route-lookup
nat (inside,LTE) source static inside_net inside_net destination static LTE LTE no-proxy-arp route-lookup
!
object network obj_any
 nat (any,outside) dynamic interface
object network inside_net
 nat (inside,outside) dynamic interface dns
!
route-map LTE permit 10
 match ip address LTE_WAN
 set ip next-hop verify-availability 192.168.5.10 1 track 1
 set interface LTE
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server [SNIP] protocol radius
aaa-server [SNIP] (inside) host 192.168.1.2
 key *****
 radius-common-pw [SNIP]
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
sysopt noproxyarp inside
sla monitor 1
 type echo protocol ipIcmpEcho 192.168.5.1 interface LTE
 frequency 10
sla monitor schedule 1 life forever start-time now
service sw-reset-button
crypto ipsec ikev1 transform-set ARM_0 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ARM_1 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ARM_2 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ARM_3 esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map ARM_MAP 65535 set pfs
crypto dynamic-map ARM_MAP 65535 set ikev1 transform-set ARM_0 ARM_1 ARM_2 ARM_3
crypto dynamic-map ARM_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic ARM_MAP
crypto map outside_map interface outside
crypto ca trustpoint [SNIP].[SNIP].de
 fqdn [SNIP].[SNIP].de
 subject-name CN=[SNIP].[SNIP].de,OU=IT,O=[SNIP] ... [SNIP]
 keypair [SNIP].[SNIP].de
 crl configure
crypto ca trustpoint primary_rootca
 enrollment terminal
 crl configure
crypto ca trustpoint secondary_rootca
 enrollment terminal
 fqdn [SNIP].[SNIP].[SNIP]
 crl configure
crypto ca trustpool policy

crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
client-update enable
!
track 1 rtr 1 reachability
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.3.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh 192.168.7.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
vpdn group [SNIP] request dialout pppoe
vpdn group [SNIP] localname [SNIP]
vpdn group [SNIP] ppp authentication pap
vpdn username [SNIP] password [SNIP] store-local
no vpn-addr-assign aaa
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 206.246.122.250 source outside prefer
ssl cipher default custom "RC4-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "RC4-SHA:AES256-SHA:DES-CBC3-SHA"
ssl trust-point [SNIP].[SNIP].de outside
ssl trust-point [SNIP].[SNIP].de inside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.12020-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy [SNIP]policy internal
group-policy [SNIP]policy attributes
 dns-server value 192.168.1.2
 vpn-simultaneous-logins 5
 vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
 group-lock value [SNIP]_mobility
 pfs enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value LocalLanAccess
 split-dns value firma.local
 intercept-dhcp enable
 webvpn
  anyconnect modules value dart vpngina
  anyconnect ask none default anyconnect
dynamic-access-policy-record DfltAccessPolicy
username [SNIP] password [SNIP] encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group [SNIP]_mobility type remote-access
tunnel-group [SNIP]_mobility general-attributes
 address-pool vpn_clientpool
 authentication-server-group [SNIP]
 authentication-server-group (outside) [SNIP]
 default-group-policy [SNIP]policy
 password-management
tunnel-group [SNIP]_mobility webvpn-attributes
 group-alias 1 disable
 group-alias [SNIP]_mobility enable
tunnel-group [SNIP]_mobility ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group [SNIP]_mobility ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
tunnel-group 192.168.2.0 type ipsec-l2l
tunnel-group 192.168.2.0 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 192.168.7.0 type ipsec-l2l
tunnel-group 192.168.7.0 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  id-randomization
  id-mismatch action log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

Add the following:

policy-map global_policy
 class inspection_default
  inspect icmp

Then you should be able to ping between the two subnets.

--

Please remember to select a correct answer and rate helpful posts

FAIL. Same behavior as before. Can observe the request, no echo (from 192.168.1.1 -> 5.10); can observe request AND echo from 5.1 to 5.10.

Set up a capture on the LTE interface:

cap CAPLTE interface LTE match ip host 192.168.1.1 host 192.168.5.10

If you see the packet exit the LTE interface, i.e. you see an entry for 192.168.1.1 towards 192.168.5.10 but nothing coming back, then the issue is on 192.168.5.10 or the network between this PC/server and the ASA.

--

Please remember to select a correct answer and rate helpful posts

Here goes:

4 packets captured

   1: 22:27:29.674907       192.168.1.1 > 192.168.5.10: icmp: echo request
   2: 22:27:34.244814       192.168.1.1 > 192.168.5.10: icmp: echo request
   3: 22:27:39.252809       192.168.1.1 > 192.168.5.10: icmp: echo request
   4: 22:27:44.244387       192.168.1.1 > 192.168.5.10: icmp: echo request

Makes me go bonkers, Marius. Never observed anything similar before.
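
As an added example (not code from the thread or from Cisco), a small Python helper that applies Marius's rule to the egress-interface capture: it parses `show capture` lines in the format Dan posted, pairs echo requests with echo replies per host pair, and says whether the requests never reached the egress interface (a problem inside the ASA), left it unanswered (the far host or the cable between it and the ASA), or completed two-way. The four request lines are the ones from the capture above; the fifth and sixth lines are a constructed healthy exchange added for contrast.

```python
import re
from collections import defaultdict

# Sample "show capture CAPLTE" output. Lines 1-4 are copied from the thread;
# lines 5-6 are CONSTRUCTED to show what a working request/reply pair looks like.
SAMPLE_CAPTURE = """\
6 packets captured

   1: 22:27:29.674907       192.168.1.1 > 192.168.5.10: icmp: echo request
   2: 22:27:34.244814       192.168.1.1 > 192.168.5.10: icmp: echo request
   3: 22:27:39.252809       192.168.1.1 > 192.168.5.10: icmp: echo request
   4: 22:27:44.244387       192.168.1.1 > 192.168.5.10: icmp: echo request
   5: 22:27:50.100000       192.168.1.20 > 192.168.5.10: icmp: echo request
   6: 22:27:50.100900       192.168.5.10 > 192.168.1.20: icmp: echo reply
"""

# One ICMP echo line of ASA capture output: "<seq>: <time> <src> > <dst>: icmp: echo request|reply"
CAP_LINE = re.compile(
    r"^\s*(?P<seq>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>(?:\d{1,3}\.){3}\d{1,3})\s+>\s+(?P<dst>(?:\d{1,3}\.){3}\d{1,3}):\s+"
    r"icmp:\s+echo\s+(?P<kind>request|reply)\b"
)


def parse_capture(text):
    """Return (seq, src, dst, kind) for every ICMP echo line; other lines are ignored."""
    pkts = []
    for line in text.splitlines():
        m = CAP_LINE.match(line)
        if m:
            pkts.append((int(m["seq"]), m["src"], m["dst"], m["kind"]))
    return pkts


def echo_summary(pkts):
    """Map (requester, target) -> (requests seen, replies seen coming back)."""
    requests = defaultdict(int)
    replies = defaultdict(int)
    for _, src, dst, kind in pkts:
        if kind == "request":
            requests[(src, dst)] += 1
        else:
            # A reply from dst to src belongs to the request direction (src, dst).
            replies[(dst, src)] += 1
    pairs = set(requests) | set(replies)
    return {p: (requests[p], replies[p]) for p in pairs}


def diagnose(text, src, dst, egress_ifc):
    """Apply the three-way reading of an egress-interface capture for one host pair."""
    req, rep = echo_summary(parse_capture(text)).get((src, dst), (0, 0))
    if req == 0:
        return (f"no echo requests from {src} to {dst} seen on {egress_ifc}: "
                f"the ASA never forwarded them; re-check NAT, ACL and routing with packet-tracer")
    if rep == 0:
        return (f"{req} echo request(s) left {egress_ifc} for {dst}, none answered: "
                f"look at {dst} or the path between it and the ASA")
    return f"{req} request(s), {rep} reply(ies): two-way traffic through {egress_ifc} is fine"


if __name__ == "__main__":
    for pair in (("192.168.1.1", "192.168.5.10"), ("192.168.1.20", "192.168.5.10")):
        print(pair, "->", diagnose(SAMPLE_CAPTURE, *pair, "LTE"))
```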
